Making Entitlements in AD Understandable to the Business
Rob de Jong, Senior Program Manager, Microsoft Corporation
SIA314
Agenda
• Overview
• Security Groups and Roles
• Experiences
  • Role Mining
  • Attestation
  • Self Service
• Managing Security Groups with BHOLD
Introduction
• Rob de Jong
• Program Manager in the Active Directory team for BHOLD
• Previously worked for more than 10 years as a Lead Architect with BHOLD Company
• Did more than 25 implementations of Role Based Access Control software products with Medium and Large customers
Problem
• Security Groups are the representation of Entitlements, and they’re out of control
• Explosion of SGs – token bloat – why are users in so many groups?
• Lack of control over group lifecycle – when can a group be deleted? Who owns it? What resources rely upon it?
• People call up the helpdesk to ask Admins to put them into groups – but the helpdesk doesn’t know whether they should be in the group or not
Context: FIM and BHOLD
• History of FIM
  • Add a user to a security group
    • With a workflow
    • With an approval process
    • Or automatically (dynamic groups)
• What’s added in R2 – historical reporting
  • See which user got a new group membership and who approved
• What’s added with BHOLD
  • Automatic assignments based on user attributes
  • Requests and approvals for multiple groups rolled up in one Role
  • Attestation process
  • Role Mining
Roles – new in FIM2010 R2
• What is a Role?
  • A way to categorize User relationships to Groups
  • Allows for automated provisioning through policies
• Better experiences for Groups
  • Collect multiple Groups into Roles
  • Associate Roles with OUs (projects, departments)
  • Associate Roles with User Attributes (job titles, locations, managers)
  • Can give meaningful names to Roles
  • Can track relationships between SGs
How do Roles work?
• Roles have members
  • Users that are automatically linked through Orgunit memberships or attribute values
  • Manually linked through Self Service Requests
  • Directly linked by the Administrator
• Roles have content
  • Active Directory groups, modeled as Permissions
  • Access rights in other applications, modeled as Permissions
  • Other Roles
• Roles can be inherited throughout the Orgunit structure
• When a User gets a Role, the contents of the Role are linked to the User
  • This triggers provisioning instructions through FIM2010 into the target applications
Recap Roles
• Roles group Access Rights – AD Groups, other apps
• Roles are created…
  • Automatically, based on HR data
  • Manually
• Roles are linked to Users…
  • Automatically, based on HR data
  • Manually, through…
    • Self Service Request and Approval
    • Direct link in BHOLD Portal
• Roles trigger provisioning to targets – AD, other apps
Automatic Provisioning
• New Employee data coming from HR flows into BHOLD through FIM2010
• BHOLD automatically links the new employee to Roles based on HR information – Department, Job Title,…
• BHOLD calculates group memberships based on roles
• Group memberships are provisioned into AD through FIM2010
• Changes in Employee data automatically trigger recalculation of group memberships in BHOLD
[Diagram: Automatic Provisioning Dataflow. Source HR → HR MA → FIM Sync Svc (CS, MV, MV Extension) → BHOLD MA → BHOLD (RBAC) → AD MA → Active Directory. BHOLD components and data flow: Employees, OU’s, Accounts & Groups in; Group Memberships out. FIM components and data flow: Employees and HR OU’s from HR; Groups and Accounts from AD; Group Memberships to AD.]
Recap Automatic Provisioning
• Takes care of Day 0 provisioning, based on HR data
• Updates user access rights when HR data changes
• Fully automated, no interaction needed
• Will typically take care of 40% – 60% of your provisioning needs
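The automatic provisioning described above (roles inherited down the Orgunit tree, attribute roles keyed on HR fields, recalculation when HR data changes), as an added Python model that is not BHOLD or FIM code. The OU tree, role names and group names are constructed for the example.

```python
from typing import Dict, Optional, Set, Tuple

# Constructed sample role model (not BHOLD's data structures). Membership roles
# follow the OU tree and are inherited downwards: a user in "AP" also holds the
# roles of "Finance" and "Corp". Attribute roles key on an HR field value.
ORG_TREE: Dict[str, Optional[str]] = {"AP": "Finance", "Finance": "Corp", "Corp": None}
MEMBERSHIP_ROLES: Dict[str, Set[str]] = {
    "Corp": {"All-Staff"},
    "Finance": {"Fin-Share-RO"},
    "AP": {"AP-App-Users"},
}
# (HR attribute, value) -> AD groups (permissions) granted by the attribute role
ATTRIBUTE_ROLES: Dict[Tuple[str, str], Set[str]] = {
    ("title", "Controller"): {"Fin-Share-RW", "ERP-Approvers"},
}


def effective_groups(employee: Dict[str, str]) -> Set[str]:
    """Groups an employee should hold: inherited OU roles plus attribute roles."""
    groups: Set[str] = set()
    ou: Optional[str] = employee["ou"]
    while ou is not None:                 # walk up the OU tree to inherit parent roles
        groups |= MEMBERSHIP_ROLES.get(ou, set())
        ou = ORG_TREE[ou]
    for (attr, value), perms in ATTRIBUTE_ROLES.items():
        if employee.get(attr) == value:
            groups |= perms
    return groups


def recalculate(current: Set[str], employee: Dict[str, str]) -> Tuple[Set[str], Set[str]]:
    """Delta to provision into AD after an HR change: (groups to add, groups to remove).

    Groups that no role explains are removed; that is what makes the HR-driven
    role model, rather than ad hoc requests, authoritative for memberships.
    """
    target = effective_groups(employee)
    return target - current, current - target


if __name__ == "__main__":
    day0 = {"ou": "AP", "title": "Clerk"}
    groups = effective_groups(day0)                        # Day 0 provisioning
    print("day 0:", sorted(groups))
    promoted = {"ou": "Finance", "title": "Controller"}    # HR change: new OU and title
    add, remove = recalculate(groups, promoted)
    print("add:", sorted(add), "remove:", sorted(remove))
```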
Role Definition
• Where do roles come from?
• Automatic Roles
  • Created for each Organizational Unit
  • Created for each Attribute you configure
  • Created for each user
• Manual Roles
  • Can be freely created
  • Can be assigned manually or used for Self Service
Role Mining
• How can statistics help to create role content?
• Which Role Types can you generate?
• How can you do that in a test environment?
Role Types
• Membership Roles
  • Inherited by the Users in the Organizational Unit
  • Inherited through the Organizational Unit tree
• Attribute Roles
  • Configured for each attribute you want to drive an attribute role
  • Linked to users with a matching attribute value
• Optional Roles
  • Created to group access rights that are optional within an Organizational Unit
  • Linked/unlinked through Self Service
• Personal Roles
  • Created to group access rights that do not fit in any other Role Type
  • Each user has their own Personal Role
Role Mining Statistics
• Will link Permissions to Roles, based on the largest common denominator
• Parameters can be set using the Role Generator wizard
• Examples:
  • If more than 95% of the Users in a Job Title share the same Permission, then link the Permission to the Role
  • If all Users in a department share the same Permission, then link the Permission to the Role
  • If more than 30% of the Users in a department share a permission, then create an Optional Role for this permission
• The Role Model can be analyzed or modified, or Role Mining can be repeated with other parameters
• The Role Model can be created off-line from Excel or .CSV files and imported into BHOLD
Sample Input Files
• Group Memberships
• Employees
• Organization
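The three threshold rules from the Role Mining Statistics slide, run over in-memory versions of the Employees and Group Memberships input files, as an added Python example (not the BHOLD Model Generator). The employees, titles and group names are constructed; the min_users guard is an added assumption, not a parameter the slides mention.

```python
from collections import defaultdict
from typing import Dict, Set

# Constructed sample input (not BHOLD data): the Employees and Group Memberships
# input files in memory; "dept" stands in for the Orgunit.
EMPLOYEES: Dict[str, Dict[str, str]] = {
    "alice": {"dept": "Finance", "title": "Accountant"},
    "bob":   {"dept": "Finance", "title": "Accountant"},
    "frank": {"dept": "Finance", "title": "Accountant"},
    "carol": {"dept": "Finance", "title": "Controller"},
    "dave":  {"dept": "Sales",   "title": "Rep"},
    "erin":  {"dept": "Sales",   "title": "Rep"},
}
MEMBERSHIPS: Dict[str, Set[str]] = {   # user -> AD groups (modelled as permissions)
    "alice": {"Fin-Share", "AP-App", "VPN"},
    "bob":   {"Fin-Share", "AP-App", "VPN"},
    "frank": {"Fin-Share", "AP-App", "VPN", "Legacy-Report"},
    "carol": {"Fin-Share", "VPN", "Budget-Approvers"},
    "dave":  {"Sales-CRM", "VPN"},
    "erin":  {"Sales-CRM", "VPN", "AP-App"},
}


def share(users, perm) -> float:
    """Fraction of the given users that hold the permission."""
    return sum(perm in MEMBERSHIPS[u] for u in users) / len(users)


def mine_roles(dept_full=1.0, title_min=0.95, optional_min=0.30, min_users=2):
    """Apply the three threshold rules; what they leave unexplained becomes a Personal Role.
    min_users is an added safeguard (assumption): a title held by one person would
    otherwise 'share' 100% of every group that person happens to have."""
    by_dept, by_title = defaultdict(list), defaultdict(list)
    for user, emp in EMPLOYEES.items():
        by_dept[emp["dept"]].append(user)
        by_title[emp["title"]].append(user)
    roles: Dict[str, Set[str]] = {}
    for dept, users in by_dept.items():            # M: membership role, O: optional role
        perms = set().union(*(MEMBERSHIPS[u] for u in users))
        roles["M:" + dept] = {p for p in perms if share(users, p) >= dept_full}
        roles["O:" + dept] = {p for p in perms if optional_min < share(users, p) < dept_full}
    for title, users in by_title.items():         # A: attribute role on job title
        perms = set().union(*(MEMBERSHIPS[u] for u in users)) if len(users) >= min_users else set()
        roles["A:" + title] = {p for p in perms if share(users, p) > title_min}
    for user, emp in EMPLOYEES.items():            # P: personal role for the leftovers
        explained = roles["M:" + emp["dept"]] | roles["O:" + emp["dept"]] | roles["A:" + emp["title"]]
        roles["P:" + user] = MEMBERSHIPS[user] - explained
    return roles
```

Re-running mine_roles with other thresholds is the "repeat Role Mining with other parameters" step; the non-empty Personal Roles are the exceptions a reviewer should look at first.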
[Diagram: Role Mining Dataflow. Active Directory supplies AD Accounts, Groups and Group Memberships; the HR System supplies Employee, Manager and Orgunit Info; both arrive as Excel or .CSV files at the BHOLD Model Generator, which outputs Membership Roles, Attribute Roles, Optional Roles and Personal Roles.]
Role Mining: Sample of Generated Model
[Screenshot callouts: New Membership role created for the OrgUnit; Users linked to the role, based on their OrgUnit membership; Permissions linked to the role, based on the % of users in the OrgUnit that share these permissions.]
Recap Role Mining
• Roles are used to assign Permissions to Users
• Permissions can be Security Groups or access rights in other applications
• Different Role Types can be used
• Most Roles are maintained automatically
• Most Roles are linked automatically to users
• Role content can be generated from existing access rights
Attestation
at·test (ə-tĕst′) v. at·test·ed, at·test·ing, at·tests
• v.tr. 1. To affirm to be correct, true, or genuine: The date of the painting was attested by the appraiser.
• A periodic process to review existing access rights of employees by their Steward – typically the line manager
  • Create an Attestation Campaign
  • Have managers fill out Attestation forms
  • Collect information, monitor progress, handle exceptions, remove denied access rights
Attestation experience
• What do you need before you can start?
  • Identify stewards – typically from HR
  • Upload existing Group Memberships
• Who does what?
  • Administrator: Define a Campaign
  • Attestation module: Send out Attestation Requests
  • Stewards: Fill out the Attestation Forms
  • Attestation module: Send out Reminders
  • Administrator: Monitor Progress
  • Attestation module: Automatic correction in target
How the Attestation data flow works
[Diagram: Source HR and Active Directory feed the FIM Sync Svc (CS, MV, MV Extension; object set: Users, OU’s, Accounts, Prov.) through their MAs; the BHOLD MA feeds BHOLD, the BHOLD Attestation Service, the BHOLD Attestation Website and an Email Server. Questions answered along the way: Which Employee is in which department? Who is managing? Which Users are in which AD Groups? Can you please go to the Attestation Website and fill out the form?]
• Employee data flows into MV
• User Group memberships flow into MV
• User, Groups and Employee data flow into BHOLD
• A new Campaign is created
• Emails are sent to Stewards
• Steward fills out the form
• Corrections are sent to BHOLD
• Corrections are de-provisioned in AD
Recap Attestation
• Attestation ensures that users only have those Groups they should have
• Puts the control back in the hands of the Line Manager
• Role based approach allows for delegation of Attestation tasks
• Automatic removal of unwanted access rights enforces the results of Attestation
• Monitoring tools allow you to follow the progress of the Attestation process
Self Service experience
• What it does
  • Request user role change
    • By a Line Manager
    • By an Employee
  • Gets an Approval
    • By a Line Manager
    • By a Role owner
    • By a Security Officer
  • User gets put in multiple SGs
BHOLD Self-Service
• Allows
  • a user to request or revoke a role for himself
  • a user to delegate a role to another person
  • a manager to request or revoke a role for users he is responsible for
  • approval workflow integration with FIM2010
• Integrated in the FIM2010 portal
• Approval workflow uses FIM Workflows
Self Service Data Flow
[Diagram: FIM Sync Svc (CS, MV, MV Extension) connects Active Directory through the AD MA and BHOLD through the BHOLD MA; the FIM Portal and BHOLD Self Service sit on top. Callouts: “What can this Manager Request?”, “Can this User get this Role?”, “Yes, he can!”, Available Roles and Employees, Groups are linked to Accounts.]
• Manager opens the Self Service Portal
• Manager makes a Request
• Request becomes a Workflow
• FIM2010 sends out Approval messages
• Role Owner approves the request
• Request is Approved
• Role is assigned to the User
• Groups are linked to Accounts in AD
Recap Self Service
• Allows an end user or manager to request adding or removing a Role
• Allows for temporary Role assignments
• Has an Approval process
  • Line Manager
  • Role Owner
  • Security Officer
• Is automatically provisioned after approval
Managing Security Groups with BHOLD
• Identify owners of existing Groups
• Categorize sensitivity
• Manage lifecycle for groups
  • Who gets to create groups?
  • Make sure they register:
    • Who owns the group?
    • What is the purpose of the group?
    • What is the request and approval process?
• Enforce group membership from your administration
  • Let FIM2010 be authoritative for group memberships
  • Only assign group memberships through BHOLD/FIM2010
Scope your efforts
• Don’t do high business impact groups
  • Probably already some process in place
  • Probably a complex process with high visibility and high risks
• Don’t worry about the “I don’t care groups”:
  • groups with no members or groups that do not give access to any resources
• Focus on medium importance groups:
  • Large volume
  • Many resources
  • Many group members
  • High ROI
Steps to regain control over Groups - 1
1. Get your data
  • Which groups are there?
  • Which members do they have?
  • Which resources do they access?
2. Clean up your data
  • Get rid of ghost accounts – accounts that do not link to an employee
  • Get rid of ghost groups – groups that do not have members or give no access to resources
3. Filter out High Business Impact groups
  • Access to sensitive data
  • Access by “sensitive” employees
4. Upload into a basic role model
Steps to regain control over Groups - 2
5. Run Attestation to clean up your memberships
6. Start managing
  • Maintain Group memberships by:
    • Using Auto Provisioning (60%)
    • Using Self Service (30%)
    • Using Manual assignment (10%)
  • Do regular Attestation campaigns to maintain control
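Steps 1 to 3 above (collect the data, drop ghost accounts and ghost groups, set High Business Impact groups aside) applied to a constructed AD export, as an added Python example that is not part of the presentation or of BHOLD. The account names, group names, resource paths and the lists of sensitive resources and employees are all made up for the example; what is left in "in_scope" is the medium-importance set that step 4 would upload.

```python
from typing import Dict, Set

# Constructed AD export and HR list (not real data). Each group records its
# members and the resources it grants access to (share or application ACLs).
HR_EMPLOYEE_IDS = {"E100", "E101", "E102", "E103"}
SENSITIVE_EMPLOYEE_IDS = {"E103"}                  # e.g. executives, flagged by HR
SENSITIVE_RESOURCES = {r"\\fs1\Payroll", r"\\fs1\M&A"}
ACCOUNTS: Dict[str, str] = {                       # sAMAccountName -> employeeID
    "alice": "E100", "bob": "E101", "carol": "E102", "dirk": "E103",
    "svc_old": "",                                 # no HR record: ghost account
}
GROUPS: Dict[str, Dict[str, Set[str]]] = {
    "Fin-Share":   {"members": {"alice", "bob"}, "resources": {r"\\fs1\Finance"}},
    "Payroll-RW":  {"members": {"bob"},          "resources": {r"\\fs1\Payroll"}},
    "Exec-Portal": {"members": {"dirk"},         "resources": {"https://intranet/exec"}},
    "Old-Project": {"members": {"svc_old"},      "resources": {r"\\fs1\Proj2009"}},
    "Empty-Dist":  {"members": set(),            "resources": set()},
    "CRM-Users":   {"members": {"carol"},        "resources": set()},  # grants nothing
}


def clean_and_scope() -> Dict[str, Set[str]]:
    """Steps 1-3: find ghost accounts and ghost groups, set HBI groups aside."""
    ghost_accounts = {a for a, eid in ACCOUNTS.items() if eid not in HR_EMPLOYEE_IDS}
    ghost_groups, hbi, in_scope = set(), set(), set()
    for name, g in GROUPS.items():
        live_members = g["members"] - ghost_accounts   # ghosts do not keep a group alive
        if not live_members or not g["resources"]:
            ghost_groups.add(name)                     # "I don't care" group: no members or no access
        elif g["resources"] & SENSITIVE_RESOURCES or any(
                ACCOUNTS[m] in SENSITIVE_EMPLOYEE_IDS for m in live_members):
            hbi.add(name)                              # High Business Impact: own process, leave out
        else:
            in_scope.add(name)                         # medium importance: upload into the role model
    return {"ghost_accounts": ghost_accounts, "ghost_groups": ghost_groups,
            "hbi_groups": hbi, "in_scope": in_scope}


if __name__ == "__main__":
    for bucket, names in clean_and_scope().items():
        print(f"{bucket}: {sorted(names)}")
```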
Making AD Entitlements Understandable for the business
• Generate a Role Model that is easy to understand for the business
• Populate the Role Model using Model Generator
• Maintain the Role Model using Attestation
• Use Automatic Provisioning for the majority of AD entitlements
• Use Self Service to allow the business to take responsibility
• Use Personal Roles to manage exceptions
How to learn more
• Download Microsoft BHOLD Suite from MSDN: https://msdn.microsoft.com/us-eng/subscriptions/securedownloads/#FileId=49036
• Available to all FIM 2010 R2 customers (based on FIM Software Assurance and CALs)
© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.